| Thread ID: 89877 | 2008-05-14 23:12:00 | kraken, storm and nugache | rugila (214) | Press F1 |
| Post ID | Timestamp | Content | User |
| 669457 | 2008-05-14 23:12:00 | Is there any good info about these anywhere on this forum? (I did check the search facility.) Are there any suggestions for appropriate strategies to identify and/or counter any or all of them (short of a complete redesign of the MS OS)? | rugila (214) |
| 669458 | 2008-05-15 00:56:00 | From what viewpoint? Are you a network sysadmin? An end user? What kind of environment - corporate or home? What kind of info are you looking for? | Erayd (23) |
| 669459 | 2008-05-15 05:32:00 | Thanx for the response Bletch. I'm both a network administrator and an end user. Environment is somewhat more extensive than home and somewhat less than corporate. Kind of a partnership. I'm looking for info on how to identify botnet infiltration and how to eradicate it, or at least to nullify any potential problems arising. My immediate reason for this post is that I received a bounceback spam email that purported to originate from a Win XP (SP2) machine in my network. A botnet using this machine as a remote seemed the most likely immediate explanation. So! What to do about it? A full scan with fully updated Norton SystemWorks incl. antivirus didn't identify any problems. I have a workaround I can easily live with which should bypass any potential problems as far as my own setup is concerned. But it's one that other members of this forum, given the main focus of this forum, may not want to use. And it doesn't fully address the issue of whether there has in fact been an infiltration, and if so what to do about it on XP machines. I think this topic should be of interest to other users of this forum besides myself. Thus I'm addressing the collective wisdom of the forum to see what can be found. Do you have experience of botnets, and of any remedial action? :confused: | rugila (214) |
| 669460 | 2008-05-15 06:11:00 | Botnets are more complicated than your average virus. And antiviruses tend to be a little behind on them too. Otherwise they wouldn't be the issue that they are. If I had a botnet, I think I'd just reinstall the OS and go hardcore with privacy settings/firewall. If botnets were easy, or at least not freaking near impossible to detect and destroy, then they wouldn't be what they are, would they? What is this network? Are there any surfing/program install restrictions in use? | Thebananamonkey (7741) |
| 669461 | 2008-05-15 07:14:00 | "Thanx for the response Bletch. I'm both a network administrator and an end user. Environment is somewhat more extensive than home and somewhat less than corporate. Kind of a partnership." What exactly do you mean by this? Large SOHO-type setup? "I'm looking for info on how to identify botnet infiltration and how to eradicate it, or at least to nullify any potential problems arising." If you haven't done this already, enable logging (on your network firewall, not on the PC) for *every* connection the suspect PC makes. That way you'll be able to see exactly what it's doing; if it's solely a work PC, suspicious traffic should be very easy to pick up - most large botnets use some variant of IRC as their control protocol. Classifying traffic at layer 7 will also help identify things like non-HTTP traffic running over tcp/80. "My immediate reason for this post is that I received a bounceback spam email that purported to originate from a Win XP (SP2) machine in my network. A botnet using this machine as a remote seemed the most likely immediate explanation. So! What to do about it? A full scan with fully updated Norton SystemWorks incl. antivirus didn't identify any problems." Get rid of Norton SystemWorks. The corporate version of Norton isn't bad, but the home one (the one bundled with SystemWorks) is terrible. Nod32 will do a far better job at catching things. If your organisation is large enough to use a standard image, just blow it away and re-image it. Otherwise, it may or may not be worth the trouble of finding it - if squashing the bastard will take longer than a reinstall (incl. applications & settings) then just wipe it. Wasting more time hunting for it is pointless. "I have a workaround I can easily live with which should bypass any potential problems as far as my own setup is concerned. But it's one that other members of this forum, given the main focus of this forum, may not want to use. And it doesn't fully address the issue of whether there has in fact been an infiltration, and if so what to do about it on XP machines. I think this topic should be of interest to other users of this forum besides myself. Thus I'm addressing the collective wisdom of the forum to see what can be found." Best thing you can do is to lock down your network properly. Remove any incoming portmaps that don't absolutely have to be there, and block *all* outgoing traffic on all ports. Run web traffic through a well-configured proxy (you may want to have a look at squid); this will prevent things other than HTTP traffic sneaking out on this port. Enable thorough logging on your firewall; this will let you pick up any strange traffic that may be occurring, and help you pinpoint what is responsible. If you absolutely *must* use direct outgoing connections, firewall them properly to ensure that connections can only be made to the specific hosts you actually need to talk to - any direct outgoing port that allows communication to arbitrary hosts is a major security hole. Is this the sort of info you were looking for? | Erayd (23) |
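A minimal form of the layer-7 check Erayd describes (flagging tcp/80 flows whose first client bytes are not an HTTP request, for example IRC-style control traffic), as an added example that is not from the thread. The sample flows are constructed; a real deployment would feed it the first payload bytes recorded by the firewall or proxy.

```python
import re

# Constructed sample flows: (label, destination port, first bytes the client sent).
# Added example for the thread above, not code posted by any participant.
SAMPLE_FLOWS = [
    ("workstation-a", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("workstation-b", 80, b"NICK zx0912\r\nUSER zx0912 0 * :zx0912\r\nJOIN #ctrl\r\n"),
    ("workstation-c", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello
]

# An HTTP request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
# IRC client registration/channel commands at the start of a line
IRC_COMMAND = re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG) ", re.M)


def classify_payload(first_bytes):
    """Label the application protocol from the first bytes the client sent."""
    if HTTP_REQUEST.match(first_bytes):
        return "http"
    if IRC_COMMAND.search(first_bytes):
        return "irc-like"
    return "unknown"


def flag_port80_mismatches(flows):
    """Return (label, protocol) for flows to port 80 that are not HTTP requests."""
    flagged = []
    for label, port, data in flows:
        proto = classify_payload(data)
        if port == 80 and proto != "http":
            flagged.append((label, proto))
    return flagged
```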
| 669462 | 2008-05-15 07:28:00 | Re: "bounceback spam email that purported to originate from a Win XP (SP2) machine in my network." How did you determine this? I mean no offence when I say this, but it is fairly common practice to forge the "from address" in any spam-type email. If you post the header data with any of your personal email details xxxx'd out, I'd be happy to take a look. | kersonan (13264) |
| 669463 | 2008-05-17 12:57:00 | Bletch: a kind of SOHO should describe my setup well enough. Agree about Norton SystemWorks. I didn't expect anything there, but since I had it I thought I'd at least give it a try. Much of the rest of your post, if I read it correctly, seems to be good advice on taking the nautical equivalent of battening down the hatches, either permanently or until (or if) the problem blows over. I'll have a good look at your suggestions, which are much appreciated, but my own inclinations (which I was moving towards doing anyway) are to do either or both of: (a) installing XP (or maybe Vista) on the second hard drive on that machine (all specs are plenty high enough), booting from that second drive, deleting the existing XP installation and being even more careful in the future (have been reasonably careful to date - so where did this come from?); (b) disabling the direct internet access on that XP machine and channeling the internet traffic through a Mac which is part of the network. My impression is that identifying and eradicating botnet problems is not at all straightforward (Thebananamonkey noted this above) and that negating their operation is at best somewhat time-consuming. I think these things (botnets) have the potential to become pretty serious internet problems, even more so than already. To date they may well be used largely for amplifying spam propagation and disguising its origins, along with the money to be made from advertisers etc. by selling these abilities. But if unknown parties can control (at least some aspects of) large numbers of zombie computers this could have some pretty far-reaching implications. And are the security vendors (Symantec etc.) taking much action in this area in ways of use to the average user? kersonan: yes, I'd be very happy if you could take a look at the following and give your opinion: **************************** From: "Mail Delivery System" <Mailer-Daemon@cag.csail.mit.edu> To: <RUGILA'S EMAIL ADDRESS> Subject: Mail delivery failed: returning message to sender Date: Wednesday, 14 May 2008 3:30 p.m. This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: kardeiz@cs.cornell.edu (generated from kardeiz@cag.lcs.mit.edu) SMTP error from remote mailer after end of data: host penguin.cs.cornell.edu [128.84.96.11]: 550 5.7.1 Message rejected. ------ This is a copy of the message, including all the headers. ------ Return-path: <RUGILA'S EMAIL ADDRESS> Received: from 201-1-208-157.dsl.telesp.net.br ([201.1.208.157] helo=setc-p4c6tkr8c0) by cag.csail.mit.edu with smtp (Exim 4.41) id 1Jw56X-0002zx-Vl for kardeiz@cag.lcs.mit.edu; Tue, 13 May 2008 20:44:31 -0400 X-Originating-IP: [07.15.578.8] X-Originating-Email: [kardeiz@cag.lcs.mit.edu] X-Sender: kardeiz@cag.lcs.mit.edu Message-Id: <20080513064459.3567.qmail@setc-p4c6tkr8c0> To: <kardeiz@cag.lcs.mit.edu> Subject: Tired of overpaying for meds at your local pharm store? Here is the one stop solution for yo From: <kardeiz@cag.lcs.mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit X-Spam-Score: 16.2 (++++++++++++++++) X-Spam-Report: Spam detection software, running on the system "k2.csail.mit.edu", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see admin@cag.csail.mit.edu for details. Content preview: Tired of overpaying for meds at your local pharm store? Here is the one stop solution for you: Housing the world's largest selection of items in one online store, you can purchase meds from the comfort of your home. Hundreds of presc. meds available at just a click for all your health needs - no troublesome visits to the doc, and no exorbitant prices to pay. [...] Content analysis details: (16.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.0 NO_REAL_NAME From: does not include a real name 3.6 SUBJECT_FUZZY_MEDS Attempt to obfuscate words in Subject: 1.3 INFO_TLD URI: Contains an URL in the INFO top-level domain 1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80% [score: 0.7224] 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% [cf: 100] 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50% [cf: 100] 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100] 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [201.1.208.157 listed in dnsbl.sorbs.net] 2.6 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org [<dsbl.org/listing?201.1.208.157>] 0.7 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy [201.1.208.157 listed in combined.njabl.org] X-Spam-Flag: YES X-Scan-Signature: e00e6c4d5642ab155d6846c3857ea5d3 Tired of overpaying for meds at your local pharm store? Here is the one stop solution for you: Housing the world's largest selection of items in one online store, you can purchase meds from the comfort of your home. Hundreds of presc. meds available at just a click for all your health needs - no troublesome visits to the doc, and no exorbitant prices to pay. Recommended by healthcare professionals and thousands of satisfied customers worldwide - visit us today. volia.intway.info/images/ **************************** | rugila (214) |
| 669464 | 2008-05-17 13:07:00 | Is 201.1.208.157 your IP? If not, then it's just backscatter, and you don't need to worry - it didn't come from your machine at all. Regarding my comments above - I was recommending you leave it that way permanently; it's good practice to lock down networks properly. Note that the key point of running web access through another machine was to use a proxy (preventing direct connections) - if the Mac is set to act as a router it defeats the whole point of locking things down. | Erayd (23) |
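One way to apply Erayd's test ("is 201.1.208.157 your IP?") to a bounce like the one quoted above, as an added example that is not from the thread: it reads the connecting address the receiving MTA stamped into the Received: header, treats the sender-supplied From:, Return-path: and X-Originating-IP: fields as untrusted, and compares the connecting IP against your own egress addresses. The sample bounce is constructed from the headers rugila posted; the Return-path address and OUR_EGRESS_IPS are placeholders.

```python
import ipaddress
import re

# Added example for the thread above, not code posted by any participant. The bounce is
# constructed from the quoted headers; the Return-path and OUR_EGRESS_IPS are placeholders.
SAMPLE_BOUNCE = """\
Return-path: <sender@example.invalid>
Received: from 201-1-208-157.dsl.telesp.net.br ([201.1.208.157] helo=setc-p4c6tkr8c0)
\tby cag.csail.mit.edu with smtp (Exim 4.41) id 1Jw56X-0002zx-Vl
\tfor kardeiz@cag.lcs.mit.edu; Tue, 13 May 2008 20:44:31 -0400
X-Originating-IP: [07.15.578.8]
From: <kardeiz@cag.lcs.mit.edu>
Subject: Tired of overpaying for meds at your local pharm store?
"""
OUR_EGRESS_IPS = {"203.0.113.10"}  # placeholder (RFC 5737 test range): your public addresses

# The connecting IP is what the receiving MTA observed; it sits in [brackets] after "from <rdns> (".
RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+\(\[?([0-9.]+)\]?", re.M)
ORIG_IP_RE = re.compile(r"^X-Originating-IP:\s*\[?([^\]\s]+)\]?", re.M)


def parse_ip(text):
    """Return an IPv4Address, or None if the field is not a valid address."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def triage_bounce(raw, our_ips=OUR_EGRESS_IPS):
    """Decide whether the rejected message actually left one of our addresses.

    Only the Received: line stamped by the remote MTA is evidence of origin;
    From:, Return-path: and X-Originating-IP: are sender-supplied and forgeable.
    """
    m = RECEIVED_RE.search(raw)
    if not m:
        return {"verdict": "unknown", "reason": "no parseable Received: header"}
    rdns_name, connecting_ip = m.group(1), parse_ip(m.group(2))
    orig = ORIG_IP_RE.search(raw)
    result = {
        "connecting_ip": str(connecting_ip) if connecting_ip else None,
        "rdns": rdns_name,
        # 07.15.578.8 in the quoted bounce is not even a valid IPv4 address
        "x_originating_ip_valid": bool(orig and parse_ip(orig.group(1))),
    }
    if connecting_ip and str(connecting_ip) in our_ips:
        result.update(verdict="investigate", reason="connecting IP is one of ours")
    else:
        result.update(verdict="backscatter", reason="connecting IP is not ours; From: was forged")
    return result
```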
| 669465 | 2008-05-18 11:23:00 | OK Bletch. Many thanks for your comments and assistance. Much appreciated. | rugila (214) |
| 669466 | 2008-05-18 11:57:00 | IP address: 201.1.208.157; Reverse DNS: 201-1-208-157.dsl.telesp.net.br; Reverse DNS authenticity: [Verified]; ASN: 27699; ASN Name: LACNIC-27648; IP range connectivity: 2; Registrar (per ASN): ARIN; Country (per IP registrar): BR [Brazil]; Country Currency: BRL [Brazil Real]; Country IP Range: 201.0.0.0 to 201.63.255.255; Country fraud profile: Normal; City (per outside source): Unknown; Country (per outside source): BR [Brazil]; Private (internal) IP? No; IP address registrar: whois.lacnic.net; Known Proxy? No; Link for WHOIS: 201.1.208.157. How is the weather over there :) | kersonan (13264) |